No fix for 'critical' hole in Windows 98, ME

Microsoft will not fix a serious flaw in Windows 98 and Windows Millennium Edition because a patch could break other applications.

The security bug relates to Windows Explorer and could let an intruder commandeer a vulnerable PC, Microsoft warned in April. The software maker has made fixes available for Windows Server 2003, Windows XP and Windows 2000, but it has found that eliminating the vulnerability in Windows 98 and ME is "not feasible," it said.

"To do so would require re-engineering a significant amount of a critical core component of the operating system," Microsoft said in a Thursday update to its MS06-015 security bulletin. "After such a re-engineering effort, there would be no assurance that applications designed to run on these platforms would continue to operate."

Instead, Microsoft recommends that people who still use the older operating systems protect their PCs by using a network firewall that filters traffic on TCP Port 139. "Such a firewall will block attacks attempting to exploit this vulnerability from outside of the firewall," it said.

Microsoft is phasing out support for the older operating systems. Windows 98 was released in June 1998, Second Edition followed a year later, and Millennium Edition came out in 2000. Microsoft has been providing fixes for only "critical" flaws the past couple of years and is ending support altogether next month, after its planned July 11 patch release. Windows XP with Service Pack 1 reaches its end of support on Oct. 10, 2006.

Not providing fixes leaves users vulnerable, but software can't be supported forever, said Michael Sutton, a director at security intelligence company iDefense, a part of VeriSign. "At some point, any vendor has to make a business decision to cease product support, and these products are now 7 to 8 years old," he said.

The older Windows versions have never been secure, said Russ Cooper, a senior scientist at Cybertrust, a security vendor in Herndon, Va. "The lack of a 'critical' patch does not weaken these OSes. Instead, it should merely put an end to their perception that they were secure before this fault came to light," he said.

And as far as blocking traffic on port 139 goes, it is a network port that has been abused in the past for attacks, said Don Leatham, director of solutions and strategy at PatchLink. "Most organizations will already have port 139 blocked," he said. "Although it is good that Microsoft is reiterating this, I don't see it being a huge impact."

The best way to secure PCs that run older versions of Windows is upgrading the operating system, Microsoft suggested.

"With the upcoming end (of) support for these products, we strongly recommend that those of you who are still running these older versions of Windows upgrade to a newer, more secure version, such as Windows XP SP2, as soon as possible," Christopher Budd, a staffer in Microsoft's' security response center, wrote on the team's blog.